The Office of Inspector General overseeing one of the most important federal agencies in the US Government analyzed internal practices for password management and complexity. The result is startling, to say the least: the US Department of the Interior is doing almost everything wrong, exposing the Government body to grave consequences in case of a successful, state-sponsored cyber-attack. The auditors tested the password hashes of 85,944 employees’ Active Directory (AD) accounts against a wordlist of more than 1.5 billion entries, which included dictionaries of multiple languages, US government terminology, pop culture references, publicly available password lists taken from past data breaches, common keyboard patterns like “qwerty”, and the like. The final result wasn’t reassuring in the slightest: of the 85,944 total hashes, the auditors were able to crack 18,174 (21%); 288 of the insecure accounts had elevated access privileges, while 362 accounts belonged to senior government employees. It took just 90 minutes of testing to crack 16% of the Department’s user accounts.

The list of the most common passwords included masterworks like “Password-1234” (478 accounts), “Br0nc0$2012” (389), “Password123$” (318), “Password1234” (274), “Summ3rSun2020!” (191), “0rlando_0000” (160), “Password1234!” (150), “ChangeIt123” (140), “1234password$” (138) and “ChangeItN0w!” (130). Passwords were mostly based on a single dictionary word with a few common character substitutions, which made the cracking job easier. For that cracking job, the auditors assembled a couple of rigs with 8 GPUs each plus a management console, spending less than $15,000. The GPUs were 2 and 3 generations behind current-gen boards, which is even more troublesome considering the performance leap that comes with every new GPU generation. Furthermore, 99.99% of the cracked passwords were perfectly in line with the Department’s password complexity requirements, including a minimum of 12 characters, at least three of the four character types, and so on. “Even though a password meets requirements because it includes uppercase, lowercase, digits, and a special character,” the final report states, it still is “extremely easy to crack.” In practice, the “stronger” passwords used by the US Government can still be very weak when based on a single dictionary word. Even worse, 89% of the cracked accounts belonging to high-value assets (25 out of 28) didn’t use any form of multi-factor authentication (MFA), a weakness that could severely impact the agency’s operations in case of a cyberattack. MFA consistency was indeed an issue across all the analyzed accounts.